Control Logs show 0 bytes when the Application Control rule for "Log files written to USB drives" is enabled.
Last Updated January 30, 2015
1. When a user copies a file to a removable USB device, the Control log File Size shows it as 0 Bytes, but when the same file is copied to a removable drive, the Control log File Size shows the actual size of the file.
2. When files are copied to a removable USB device, the Control log always has a pair of entries (File Write, File Delete). However, when files are deleted from the removable USB device, the Control log has only one entry, File Delete.
- The file size appears as 0 bytes rather than the actual file size when the application control rule triggers before a process creates or writes a file. This is by design and is documented in the SEP client interface.
In the client, go to Help > Help Topics > Search, type "0 bytes", and then click Client Management Log: Control Log.
- When a file is copied to a USB drive, the caller process is "Explorer.EXE". When Explorer.EXE copies files to a folder, it first tries the operation with the "WRITE"+"READ attribute" AND "DELETE" access mask. If the operation fails, it tries again without the "DELETE" access mask. Our Application Control is based on access mask checking, so two log entries are added for the copy. When a file is deleted, only a File Delete entry is present.
This is by design.
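When reviewing Control log data for USB activity, the paired entries described above can be collapsed so that a copy is not counted as a deletion. The following is an added example, not Symantec code: the record layout, the sample rows and the 2-second pairing window are constructed assumptions, not the SEP log export format.

```python
from datetime import datetime, timedelta

# Constructed sample records: (time, caller, action, path, size_bytes).
# Simplified layout for illustration only, not the SEP export format.
SAMPLE = [
    ("2015-01-30 10:00:00", "Explorer.EXE", "File Write", "E:\\report.docx", 0),
    ("2015-01-30 10:00:00", "Explorer.EXE", "File Delete", "E:\\report.docx", 0),
    ("2015-01-30 10:05:12", "Explorer.EXE", "File Delete", "E:\\old.txt", 0),
]

def classify(records, window=timedelta(seconds=2)):
    """Collapse a File Write + File Delete pair into one 'copy' event.

    A pair is two entries with the same caller and path inside `window`
    (assumed value). An unpaired File Delete is reported as 'delete'.
    """
    events = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), caller, action, path, size)
        for t, caller, action, path, size in records
    )
    used, results = set(), []
    for i, (ts, caller, action, path, size) in enumerate(events):
        if i in used:
            continue
        used.add(i)
        partner = "File Delete" if action == "File Write" else "File Write"
        kind = "write" if action == "File Write" else "delete"
        # Look ahead for the matching half of the pair, in either order.
        for j in range(i + 1, len(events)):
            ts2, caller2, action2, path2, _ = events[j]
            if ts2 - ts > window:
                break
            if j not in used and (caller2, path2, action2) == (caller, path, partner):
                used.add(j)
                kind = "copy"
                break
        # 0 bytes means the rule fired before the write: treat size as unknown.
        results.append({"time": ts, "caller": caller, "path": path,
                        "kind": kind, "size": size or None})
    return results

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event["time"], event["kind"], event["path"], event["size"])
```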
Imported Document ID: TECH167002